Healthcare and Cyber Risk

Introduction

The healthcare industry has witnessed a startling increase in cyber-attacks and security incidents over the last five years. Last year, the average number of records exposed per breach was 1.6 million, and the average recovery expense was a shocking $157,000. With healthcare claims representing 28% of US breach costs, it is clear that this is a sector in which cybersecurity cannot be ignored.

Specific Concerns / Risks

Healthcare providers collect, manage and process huge volumes of patient records and data, including protected health information (‘PHI’) and personally identifiable information (‘PII’). This data is of high value to attackers, who can extort the victim by threatening to publish it, use it for medical identity theft and insurance fraud, or sell it on dark-web markets. Unlike a payment card number, a health record cannot be cancelled and reissued once exposed, so its value to criminals persists for years. Additionally, the loss of such records can result in significant costs: notification costs in advising affected individuals and authorities, restoration costs, fines and penalties, liabilities arising out of the breach of privacy, and long-term financial and reputational damage.

The healthcare industry’s reliance on old technology and legacy systems, including networked medical devices that run unsupported operating systems and cannot easily be patched or replaced, leaves known vulnerabilities exposed and makes the sector an ‘easy target’ for attackers. Past examples have shown the ease with which attackers can access data and cause widespread system interruption and failure. The inability to access systems and records immediately can disrupt the administering of medications and supplies, and can even affect medical equipment, potentially resulting in bodily injury and/or death.

With large and widely distributed workforces comes the need for frequent and consistent training on cyber risk and IT security. Failure to train staff properly leaves the healthcare entity exposed to the related operational risks: human error (phishing remains the most common initial entry point), failure to maintain network integrity, and difficulty in recognising and managing data breaches.

Healthcare regulations around data breaches are extremely strict, and failure to comply with the requirements stipulated by HIPAA and HITECH can result in significant fines and penalties. The HIPAA Breach Notification Rule requires notification of affected individuals without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI, notification of the HHS Office for Civil Rights (OCR), and, where a breach affects more than 500 residents of a state or jurisdiction, notification of prominent media outlets serving that area. A breach affecting 500 or more individuals must also be reported to OCR within the same 60-day window, and the entity will then appear on the publicly accessible list of breaches published by OCR, which can have a long-lasting reputational impact. Smaller breaches are logged and reported to OCR annually.

Types of Cyber Claims

In early 2015 one of the largest US health insurers disclosed what remains the largest healthcare data breach on record: a sophisticated external attack, discovered in January and announced in February, in which the records of 78.8 million current and former members and employees were stolen, including sensitive data such as names, Social Security numbers, home addresses and dates of birth. The organisation later agreed to a $115 million settlement of the resulting class action litigation, in addition to regulatory penalties.

In 2016 a hospital based in Los Angeles suffered a ransomware attack which rendered its internal computer systems inoperable. Staff were forced back to paper records, doctors were unable to access medical records or administer medications efficiently, and some patients were diverted to other hospitals. The computer systems were down for over a week, and the hospital regained access only after paying the attackers a ransom in bitcoin. The business interruption and clinical disruption, not the ransom itself, made up the bulk of the cost.

Risk Transfer

Comprehensive cyber insurance not only offers financial support following a breach, but also includes risk mitigation support to reduce the likelihood of an incident in the first place. Considering the high-risk landscape in which healthcare organisations are operating, it is essential that cyber risk management is treated as a top priority. A Safeonline Cyber policy offers first- and third-party coverage, to ensure that the healthcare organisation is comprehensively protected. Additionally, it includes complimentary pre- and post-breach services and can be tailor-made to provide the best cyber solution to fit the differing requirements of the healthcare sector.

Safeonline LLP encourages everyone in the UK to follow Government advice and to stay at home as much as possible during this national emergency. It is the only way to protect our NHS and save lives.

Safeonline is well versed in agile and remote working and continues to operate as normal, despite the difficult circumstances. Please do not hesitate to get in touch should you require assistance with any current or new placements.